Comments on How To Whitelist Hosts/IP Addresses In Postfix
How To Whitelist Hosts/IP Addresses In Postfix
If you are administrating a mail server and use blacklists to block spam, you probably know this problem: from time to time your customers complain that they cannot receive emails from certain freemailers. Most often this happens because a freemailer was abused to send out spam and therefore got blacklisted. This short guide shows how you can whitelist such a mail server in Postfix to make your customers happy again.
15 Comment(s)
Comments
Sometimes you need to do manual whitelisting for mail users whose customers' admins don't respond to your complaints about their server settings.
Another option to consider is automatic whitelisting by using the hand-crafted DNSWL ( http://www.dnswl.org/ ). You should also consider requesting to get added to DNSWL.
I use a simple shell script named dnswl-update.sh as a cron job to sync the data (see documentation for use of X-REPLACEME substitution):
#!/bin/sh
rsync --times rsync1.dnswl.org::dnswl/postfix-* /mypath/
cat /mypath/postfix-dnswl-header | sed "s/X-REPLACEME/X-MYSTRING/" > /etc/postfix/dnswl-header
cp /mypath/postfix-dnswl-permit /etc/postfix/dnswl-permit
In /etc/postfix/main.cf I added these two lines as first check_* commands within the smtpd_recipient_restrictions :
smtpd_recipient_restrictions =
    [ ... ]
    check_client_access cidr:/etc/postfix/dnswl-header,
    check_client_access cidr:/etc/postfix/dnswl-permit,
    [ ... ]
After that you restart Postfix.
/etc/init.d/postfix restart
My cron entry looks something like this and there is no need to restart or reload Postfix afterwards:
7 5,18 * * * /path-to-script/dnswl-update.sh > /dev/null 2>&1
Just thought I should mention that you can whitelist an entire subnet with:
111.222.33 OK
This does not work:
111.222.33.0/24 OK
111.222.33.* OK
regards
axel
use cidr: instead of hash:
and specify addresses like "111.222.33.0/24 OK"
and to test: postmap -q 111.222.33.42 cidr:rbl_override
Will wildcards work with domain names -- something like '*.example.org'?
Asking because Postfix currently rejects mail from addresses like bdlna.example.org due to an RBL rejecting that domain (names and addresses obfuscated):
Oct 21 15:08:08 mail5 postfix/smtpd[24960]: NOQUEUE: reject: RCPT from bdlna.example.org[1.2.3.4]: 554 5.7.1 Service unavailable; Client host [1.2.3.4] blocked using query.bondedsender.org; Return Path SenderScore Certified {formerly Bonded Sender} - http://www.senderscorecertified.com; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<bdlna.example.org>
Thanks!
Hi,
I also wonder if wildcards will work, because I also need to allow *.facebook.com, *.google.com, etc.
Thanks.
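Added example, not part of the original comments: a simplified Python model of the lookup order that access(5) and cidr_table(5) document for check_client_access. It shows why "111.222.33 OK" matches in a hash: table while "111.222.33.0/24" and "*" patterns only sit there as literal strings, and how parent domains are matched. The function names and sample tables are constructed for illustration; the default assumed here is that smtpd_access_maps is listed in parent_domain_matches_subdomains.

```python
import ipaddress

def hash_keys(hostname, ip, parent_matches_subdomains=True):
    """Keys tried, in order, for check_client_access on an indexed (hash:) table."""
    keys = []
    if hostname != "unknown":          # "unknown" = no verified client hostname
        labels = hostname.lower().split(".")
        keys.append(".".join(labels))
        for i in range(1, len(labels)):
            parent = ".".join(labels[i:])
            # "domain.tld" covers subdomains only when smtpd_access_maps is in
            # parent_domain_matches_subdomains; otherwise ".domain.tld" is tried.
            keys.append(parent if parent_matches_subdomains else "." + parent)
    octets = ip.split(".")
    for n in range(4, 0, -1):          # full address, then strip trailing octets
        keys.append(".".join(octets[:n]))
    return keys

def hash_lookup(table, hostname, ip, parent_matches_subdomains=True):
    for key in hash_keys(hostname, ip, parent_matches_subdomains):
        if key in table:               # exact string match: no CIDR, no globs
            return key, table[key]
    return None

def cidr_lookup(rules, ip):
    addr = ipaddress.ip_address(ip)
    for pattern, action in rules:      # cidr: tables are searched in file order
        if addr in ipaddress.ip_network(pattern):
            return pattern, action
    return None

# Constructed sample tables using the entry forms discussed in the comments.
HASH_TABLE = {
    "111.222.33": "OK",        # octet-truncated key: matches the whole /24
    "111.222.44.0/24": "OK",   # literal string in hash:, never looked up
    "111.222.55.*": "OK",      # literal string in hash:, never looked up
    "*.example.net": "OK",     # literal string in hash:, never looked up
    "example.org": "OK",       # matches subdomains under the assumed default
}
CIDR_RULES = [("111.222.44.0/24", "OK")]

if __name__ == "__main__":
    print(hash_lookup(HASH_TABLE, "unknown", "111.222.33.42"))
    print(hash_lookup(HASH_TABLE, "unknown", "111.222.44.42"))
    print(cidr_lookup(CIDR_RULES, "111.222.44.42"))
    print(hash_lookup(HASH_TABLE, "bdlna.example.org", "1.2.3.4"))
    print(hash_lookup(HASH_TABLE, "mx.example.net", "1.2.3.4"))
```

Keep such entries as narrow as possible: an OK result from check_client_access ends evaluation of that restriction list, so the reject_rbl_client checks listed after it are skipped for every client the entry covers.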
With
check_client_access hash:/etc/postfix/rbl_override,
the log file says error:
postfix/smtpd[28503]: error: open database /etc/postfix/rbl_override.db: No such file or directory
why .db ?
You forgot to run postmap /etc/postfix/rbl_override
When I add code as follows:
smtpd_recipient_restrictions = check_sender_access hash:/etc/postfix/sender_access
in main.cf my mail server can't send or receive any email.
Don't forget the comma at the end
Thank You!
Works!
I'm using ispconfig 3 And getting (I fudged the ip & domains...) (ip reverse does not match hostname & getting blocked)
Nov 8 08:35:06 titan postfix/smtpd[19349]: NOQUEUE: reject: RCPT from unknown[724.21.816.71]: 450 4.7.1 Client host rejected: cannot find your hostname, [724.21.816.71]; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<thisnotmatchingreversedomain.com>
Line from my main.cf
smtpd_client_restrictions = permit_sasl_authenticated, reject_unknown_client_hostname, check_client_access mysql:/etc/postfix/mysql-virtual_client.cf
When I remove "reject_unknown_client_hostname" mail goes through as it should. I added the ip 724.21.816.71 as a client in ispconfig global white list & all shows as it should. Even logged into database & it shows correct. However it still fails, like postfix is not reading the mysql data.
The information in the mysql-virtual_client.cf to look up the data looks correct to me. Same as I used to log into mysql & view data.
Any ideas or way to debug further? I need the ip to be accepted even though reverse different (have contacted entity & told them it is wrong). Could bypass ispconfig & mysql but would like it to work as it should.
I want to whitelist all email domains. Currently I have the lines below in recipient_domains:
xyz.com OK
abc.se OK
How do I modify this so that I can whitelist all domains?
Here we should have a space except for the first one. At least on Debian9.
mydomain.com OK seconddomain.com OK 127.0.0.1 OK
Cheers!
I have weird results, with this. The portion of main.cf I've edited looks like the following:
smtpd_recipient_restrictions =
    reject_invalid_hostname,
    reject_unknown_recipient_domain,
    reject_non_fqdn_recipient,
    reject_unlisted_recipient,
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
    check_client_access hash:/etc/postfix/rbl_override,
    reject_rbl_client zen.spamhaus.org,
    reject_rbl_client bl.spamcop.net,
    reject_rbl_client psbl.surriel.com,
    reject_rbl_client dnsbl.sorbs.net,
    reject_rbl_client b.barracudacentral.org
    check_policy_service unix:private/policyd-spf
I actually wanted to whitelist Facebook's mail server because my email notifications were being blocked. Now, Facebook emails work but none of the other DNSBL services/blocks are being invoked. I had written a script to read my logs and convert them into a neatly formatted HTML page, for each service. The minute I added this whitelist - I swear - they all quit working.
Obviously this works, but it's better to do it through rspamd (which is far better at adding and removing delivery rules).